Hybrid key establishment
ML-KEM-768 and an ephemeral P-256 ECDH exchange produce independent shared secrets. A domain-separated derivation binds them to the intended vault, devices, trusted-device-list version, object, algorithm suite, and purpose.
Cryptographic architecture
MystSafe treats cloud storage as a transport layer, not as a trusted vault. Every device creates its own independent encryption and signing keys, encrypts secret payloads locally, and verifies what it receives before accepting an update.
This page describes the current beta architecture reflected in the app solution. Protocol details and algorithm-suite identifiers are versioned so clients can reject unsupported or altered data as the design evolves.
Post-quantum layerLattice-based protection
Classical layerEstablished cryptography
One authenticated envelopeEncrypted device-to-device update
Two independent cryptographic paths
Classical cryptography is not a fallback. Key establishment combines both shared-secret paths, and security-sensitive envelopes require both signature paths to verify.
Current beta cipher suite
ML-KEM-768 and an ephemeral P-256 ECDH exchange produce independent shared secrets. A domain-separated derivation binds them to the intended vault, devices, trusted-device-list version, object, algorithm suite, and purpose.
ML-DSA-65 and ECDSA P-256 sign the same canonical security context. Verification requires both signatures and the expected device key identities.
AES-256-GCM protects payloads and wrapped content keys with fresh nonces and authenticated context. SHA3-256 commits to protocol content and key identities.
Encrypted update lifecycle
An update is more than ciphertext. It is a versioned, signed object with enough bound context for a receiving device to detect substitution, replay, tampering, and unauthorized senders.
Each device generates independent ML-KEM, P-256 ECDH, ML-DSA, and ECDSA identities. Existing private device keys are not transferred to a new device.
The sender creates a fresh 256-bit content key, encrypts the payload, and protects that key specifically for another Active trusted device through both key-establishment paths.
The envelope identifies its protocol and suite, vault, exact object path and type, signer, trusted-device-list version, timestamps, encryption details, and payload hash.
The chosen storage provider receives the signed encrypted object. It does not receive the private device keys required to unwrap its secret payload.
The recipient checks the expected path and vault, supported suite, active signer, expiration, payload hash, and both signatures. A failed check rejects the object.
Trust boundaries
MystSafe is designed to reduce centralized trust without pretending that cryptography makes every surrounding system invisible.
Protected by the protocol
Not an anonymity claim
Device-bound access
On supported Apple release builds, a random device-storage key is protected with device-only Keychain policy and local user presence. Face ID, Touch ID, a device passcode, or macOS authentication authorizes the operating system to release protected key material; biometrics are not used as cryptographic keys.
Post-quantum private keys are software-protected beneath that device security layer. MystSafe does not claim they are natively hardware-backed.
Join the early-access list or send the MystSafe team a security question.